Create and delete Groups in FIM portal from SQL Tables

  • Question

  • Hello Everyone,

    do you know how I could create a group in the portal when an SQL table is created and delete it when it's deleted,

    + user membership of course :)

    thanks


    Hitch Bardawil

    Wednesday, July 15, 2015 2:37 PM

All replies

  • A little too vague.  Can you tell us a little more?

    Nosh Mernacaj, Identity Management Specialist

    Wednesday, July 15, 2015 2:56 PM
  • Hello !

    so to be more specific

    I have an SQL table with one column called Group name, 

    I want to create a group for each row in this table and delete the group if the row is deleted,

    I was wondering if that was possible

    thanks !


    Hitch Bardawil

    Thursday, July 16, 2015 9:53 AM
  • You can create the groups in FIM, but where are the members? So far all I know is that you have a table with names of the groups

    GroupName,

    Group1

    Group2

    Group3

    ........


    Nosh Mernacaj, Identity Management Specialist

    Thursday, July 16, 2015 1:16 PM
  • I want to create those groups as criteria based groups and fill them up with users that have this specific criteria on one of those attributes.

    for example the table 

    Group 1 will be based on the attribute description when the description of a user contains the value 1 

    so my question would be the group that we are creating in FIM from SQL can be created as a criteria based group ?


    Hitch Bardawil

    Thursday, July 16, 2015 1:29 PM
  • That is possible.  So there are 2 things here, Project the groups and set the attributes.

    In a nutshell, here is a way to accomplish this.

    1. Project these groups to MV and then to FIM Portal

    2. In FIM Portal, create a SET of all groups

    3. Create a Workflow that sets the group attributes, criteria you like

    4. Create an MPR that fires on the set above "Transition in" and applies WF above, basically setting  the attributes you like to this group

    5. Users will be added and removed automatically. 


    Nosh Mernacaj, Identity Management Specialist

    Thursday, July 16, 2015 1:42 PM
  • Thanks a lot !

    excuse my ignorance but what type of workflow do you use to set the group into criteria based groups ?


    Hitch Bardawil

    Thursday, July 16, 2015 2:09 PM
  • You need an action WF to set the attributes.  For the criteria, you will need to pass the XPATH. An easy way is to create a group manually and set the criteria, then copy the XPATH.

    Nosh Mernacaj, Identity Management Specialist

    • Marked as answer by HitchB52 Thursday, July 16, 2015 3:24 PM
    Thursday, July 16, 2015 2:28 PM
  • thanks a lot !

    Hitch Bardawil

    Thursday, July 16, 2015 3:24 PM
  • Nosh does describe a way to accomplish this task and I would like to point out an additional way. Depending on how your SQL table is populated will determine which method is preferred.

    Instead of using a workflow you could simply flow the attributes (including the filter attribute) from your SQL MA into the Metaverse and into the FIM Portal. The FIM MA would flow back out the member attribute after doing its calculations.

    Which one to use? From an effort perspective the attribute flow is easier. However, if the way in which you are generating the data in the SQL table isn't flexible enough to allow you to build the XPATH filter then a workflow may be more appropriate.

    So how is your SQL table populated? Who (what type of user) will populate it?


    David Lundell, Get your copy of FIM Best Practices Volume 1 http://blog.ilmbestpractices.com/2010/08/book-is-here-fim-best-practices-volume.html

    Thursday, July 16, 2015 8:42 PM
  • Hello David,

    thanks for the input !

    let me try to summarise this because it's a bit more complex,

    - I have a Table with the Group names, and IDs

    - I have a consultant table 

    - I created a view that links users to those groups (multivalued) 

    - the MA that creates the users in the FIM portal assigns them a custom attribute I call Group ID

    - I'd like to create the group as a dynamic group where members are those who have the Group ID attribute set to the correct Value.

    now Nosh's idea seems cool but it would be much simpler for me to do it your way since I have the info in the table

    does it look correct to you ?

    PS

    I'm still trying to find the correct xpath syntax, any link on how to do that ?

    thanks


    Hitch Bardawil

    Friday, July 17, 2015 9:24 AM
  • Hey Guys, 

    so I was able to sync the groups with the correct Filter, however when I try to export to FIM I get a 

    "Failed-creation-via-web-service" error and the fault reason is that "Policy prohibits the request from completing"

    any ideas on why ?

    thanks


    Hitch Bardawil

    Friday, July 17, 2015 11:49 AM
  • This is because the account that synchronizes data does not have the rights to the attributes being modified. There are some MPRs that you can modify, but since you may need to do this sooner or later, do it now. Add the built-in synchronization account to the administrators set. Create an MPR that grants administrators full access to "all objects" set. Then you are fine. MPR is a request type. Requestor is administrators. Applies to all objects.

    Nosh Mernacaj, Identity Management Specialist

    Friday, July 17, 2015 12:04 PM
  • I thought about that and did as you said above, 

    and I still get this error, just when I want to add the filter directly from the metaverse 

    could it be something else than an MPR since I suppose that with the one above I have full access...

    like missing attributes ? (I can't flow the owner for example)

    thanks for helping out ! 


    Hitch Bardawil

    Friday, July 17, 2015 12:33 PM
  • Well, you have synchronized with the MV, which is a SQL table and takes anything. The trouble is to export the data to FIM Portal, where these attributes are defined and their format is very specific. If you don't send the right data format things will fail. To be honest, it is not that easy to accomplish what you are trying to accomplish without a little more FIM Expertise. 

    Your question on Missing Attribute seems a little odd to me.  How can you export to a non-existing attribute?  These kinds of questions make me worry about your ability to execute such tasks, with all due respect.

    I still believe you are running against access issue, so please send me the following, screen shots.

    1. MPR you created. All Pages.

    2. Attribute Mapping in FIM Portal MA

    3. The full error (Text is fine)

    4. A sample data


    Nosh Mernacaj, Identity Management Specialist

    Friday, July 17, 2015 12:51 PM
  • no worries Nosh, I guess my question was silly but I'm just brainstorming here

    I meant to say that maybe I have to specify an owner to a group in the FIM portal or it doesn't allow me to create .. (since I get an error if I create the group manually and don't specify one)  


    now to get back to the issue at hand:

    I think I found the reason for the error: it is the syntax of the Xpath that I'm exporting, 

    I just copied it from an existing criteria based group and added it as a persistent flow to the filter Attribute but for some reason it's adding quotes 

    this is what I have in my sync rule :

    <Filter xmlns:xsd=""http://www.w3.org/2001/XMLSchema"" xmlns:xsi=""http://www.w3.org/2001/XMLSchema-instance"" Dialect=""http://schemas.microsoft.com/2006/11/XPathFilterDialect"" xmlns=""http://schemas.xmlsoap.org/ws/2004/09/enumeration"">/Person[cordee =


    the quotes and > < are going crazy !


    Hitch Bardawil

    Friday, July 17, 2015 1:08 PM
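
Added example (not part of the original thread, and not code from any poster or from Microsoft): a Python sketch that builds the Filter value for a criteria-based group from one row's group ID and checks it before it is flowed to the portal, so a doubled-quote string like the one above, or a value that would alter the XPath and therefore the group's membership, is caught before export. The attribute name GroupID, the sample values and both function names are assumptions made for illustration.

```python
import re
import xml.etree.ElementTree as ET
from xml.sax.saxutils import escape

# Namespace and dialect as they appear in the Filter element quoted in the thread.
ENUM_NS = "http://schemas.xmlsoap.org/ws/2004/09/enumeration"
DIALECT = "http://schemas.microsoft.com/2006/11/XPathFilterDialect"

# Assumption: attribute names are plain identifiers and group IDs are short
# alphanumeric keys; anything else is rejected rather than escaped.
NAME_RE = re.compile(r"[A-Za-z][A-Za-z0-9_]*\Z")
VALUE_RE = re.compile(r"[A-Za-z0-9 _.-]{1,64}\Z")


def build_filter(attribute, value, resource="Person"):
    """Return Filter XML of the form /Person[attribute = 'value']."""
    if not NAME_RE.match(attribute) or not NAME_RE.match(resource):
        raise ValueError("unexpected attribute or resource name")
    if not VALUE_RE.match(value):
        # A quote or bracket here would change the XPath, and with it who
        # becomes a member of the group.
        raise ValueError("unexpected character in criteria value: %r" % value)
    xpath = "/%s[%s = '%s']" % (resource, attribute, value)
    return (
        '<Filter xmlns:xsd="http://www.w3.org/2001/XMLSchema" '
        'xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" '
        'Dialect="%s" xmlns="%s">%s</Filter>' % (DIALECT, ENUM_NS, escape(xpath))
    )


def check_filter(xml_text):
    """Return (ok, reason) for a Filter string about to be exported."""
    try:
        root = ET.fromstring(xml_text)
    except ET.ParseError as exc:
        hint = " (doubled quotes present)" if '=""' in xml_text else ""
        return False, "not well-formed XML%s: %s" % (hint, exc)
    if root.tag != "{%s}Filter" % ENUM_NS:
        return False, "root element is not the enumeration Filter"
    if root.get("Dialect") != DIALECT:
        return False, "missing or wrong Dialect"
    if not (root.text or "").startswith("/"):
        return False, "filter text is not an XPath expression"
    return True, "ok"
```
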
  • Awesome.  That is what I referred to as bad data.  Is it exporting fine now?

    Nosh Mernacaj, Identity Management Specialist

    Friday, July 17, 2015 1:10 PM
  • yep ! I have no idea why when I put a single quote(") in the sync rule, it turns into a double quote ("")

    thanks for the help

    much appreciated !


    Hitch Bardawil

    Friday, July 17, 2015 1:20 PM
  • Devil is in the details. :)

    Nosh Mernacaj, Identity Management Specialist

    Friday, July 17, 2015 2:37 PM